19262735 The file probe needs to be zone aware s11-update
authorJacob Varughese <jacob.varughese@oracle.com>
Tue, 07 Oct 2014 16:44:00 -0700
branchs11-update
changeset 3373 9de01e7a073b
parent 3372 f6c81429f70b
child 3376 8e9db14cbe2d
19262735 The file probe needs to be zone aware 19173594 oscap crashes when compliance is run 19559867 compliance fails when no network interface are defined
components/openscap/Makefile
components/openscap/patches/system_info3.c.patch
components/openscap/patches/system_info4.c.patch
components/openscap/patches/zone_file_fix_opt.c.patch
components/openscap/resolve.deps
--- a/components/openscap/Makefile	Mon Oct 06 23:00:15 2014 -0700
+++ b/components/openscap/Makefile	Tue Oct 07 16:44:00 2014 -0700
@@ -66,7 +66,7 @@
 CONFIGURE_OPTIONS +=	--libexecdir=$(CONFIGURE_LIBDIR.$(BITS))
 CONFIGURE_OPTIONS +=	am_cv_python_pythondir=$(PYTHON_VENDOR_PACKAGES)
 CONFIGURE_OPTIONS +=	am_cv_python_pyexecdir=$(PYTHON_VENDOR_PACKAGES)
-CONFIGURE_OPTIONS +=	LIBS="-lsocket -lnsl -lldap_r -lscf -ldlpi -lsec"
+CONFIGURE_OPTIONS +=	LIBS="-lsocket -lnsl -lldap_r -lscf -ldlpi -lsec -lzonecfg"
 CONFIGURE_OPTIONS +=	--with-report-branding="/usr/share/lib/xml/style/os-logo.xsl"
 
 DOCS_DIR = $(PROTO_DIR)/usr/share/docs/openscap/html/
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/system_info3.c.patch	Tue Oct 07 16:44:00 2014 -0700
@@ -0,0 +1,50 @@
+This patch fixes the issue, where the system_info probe crashes on solaris,
+ when the network interfaces cannot be detected. Fix provides the default
+ loop back interface as default.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Aug-15.
+
+
+--- openscap-1.0.0/src/OVAL/probes/independent/system_info.c.~2~	2014-07-24 11:02:52.698291479 -0700
++++ openscap-1.0.0/src/OVAL/probes/independent/system_info.c	2014-07-25 11:20:07.096049635 -0700
[email protected]@ -170,6 +170,7 @@
+        char host[NI_MAXHOST], *mac;
+        SEXP_t *attrs;
+        SEXP_t *r0, *r1, *r2;
++	int item_added = 0;
+ 
+        if (getifaddrs(&ifaddr) == -1)
+                return rc;
[email protected]@ -213,8 +214,6 @@
+ 				goto leave2;
+ 			}
+ 		}
+-
+-
+ 	        attrs = probe_attr_creat("name",
+                                  r0 = SEXP_string_newf("%s", ifa->ifa_name),
+                                  "ip_address",
[email protected]@ -223,10 +222,22 @@
+                                  r2 = SEXP_string_newf("%s", mac),
+                                  NULL);
+ 	        probe_item_ent_add(item, "interface", attrs, NULL);
++		item_added = 1;
+         	SEXP_vfree(attrs, r0, r1, r2, NULL);
+ 	}
+ leave2:
+         close(fd);
++	if (item_added == 0) {
++		attrs = probe_attr_creat("name",
++					 r0 = SEXP_string_newf("dummy0"),
++					 "ip_address",
++					 r1 = SEXP_string_newf("127.0.0.1"),
++					 "mac_address",
++					 r2 = SEXP_string_newf("aa:bb:cc:dd:ee:ff"),
++					 NULL);
++		probe_item_ent_add(item, "interface", attrs, NULL);
++		SEXP_vfree(attrs, r0, r1, r2, NULL);
++	}
+ leave1:
+         freeifaddrs(ifaddr);
+         return rc;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/system_info4.c.patch	Tue Oct 07 16:44:00 2014 -0700
@@ -0,0 +1,55 @@
+This patch fixes the issue, where the system_info probe fails on solaris,
+ when the network interfaces cannot be detected. Fix provides the default
+ loop back interface as default. The earlier patch was not a complete fix.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Oct-15.
+
+
+--- openscap-1.0.0/src/OVAL/probes/independent/system_info.c.~3~	2014-09-18 11:08:42.983747329 -0700
++++ openscap-1.0.0/src/OVAL/probes/independent/system_info.c	2014-09-18 12:41:13.266535881 -0700
[email protected]@ -166,14 +166,16 @@
+ static int get_ifs(SEXP_t *item)
+ {
+        struct ifaddrs *ifaddr, *ifa;
+-       int family, rc=1;
++       int family, rc=0;
+        char host[NI_MAXHOST], *mac;
+        SEXP_t *attrs;
+        SEXP_t *r0, *r1, *r2;
+-	int item_added = 0;
++#if defined(__SVR4) && defined(__sun)
++       int item_added = 0;
++#endif
+ 
+        if (getifaddrs(&ifaddr) == -1)
+-               return rc;
++               return 1;
+ 
+        fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
+        if (fd < 0)
[email protected]@ -222,12 +224,15 @@
+                                  r2 = SEXP_string_newf("%s", mac),
+                                  NULL);
+ 	        probe_item_ent_add(item, "interface", attrs, NULL);
++#if defined(__SVR4) && defined(__sun)
+ 		item_added = 1;
++#endif
+         	SEXP_vfree(attrs, r0, r1, r2, NULL);
+ 	}
+ leave2:
+         close(fd);
+-	if (item_added == 0) {
++#if defined(__SVR4) && defined(__sun)
++	if (item_added == 0 && rc == 0) {
+ 		attrs = probe_attr_creat("name",
+ 					 r0 = SEXP_string_newf("dummy0"),
+ 					 "ip_address",
[email protected]@ -238,6 +243,7 @@
+ 		probe_item_ent_add(item, "interface", attrs, NULL);
+ 		SEXP_vfree(attrs, r0, r1, r2, NULL);
+ 	}
++#endif
+ leave1:
+         freeifaddrs(ifaddr);
+         return rc;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/zone_file_fix_opt.c.patch	Tue Oct 07 16:44:00 2014 -0700
@@ -0,0 +1,169 @@
+This patch fixes an issue with file probe on solaris. The file probe currently
+ is not zone aware and so descends into non-global zones from the global-zone.
+Fix prevents file probe traversal into non-global zones  from the global zone,
+ when local is specified for recursion.
+
+This patch has not been contributed upstream, but is planned to be submitted by
+ 2014-Oct-15.
+--- openscap-1.0.0/src/OVAL/probes/oval_fts.c.~2~	2014-07-24 10:53:15.269589073 -0700
++++ openscap-1.0.0/src/OVAL/probes/oval_fts.c	2014-07-24 11:02:30.267608422 -0700
[email protected]@ -45,6 +45,8 @@
+ #if defined(__SVR4) && defined(__sun)
+ #include "fts_sun.h"
+ #include <sys/mntent.h>
++#include <libzonecfg.h>
++#include <sys/avl.h>
+ #else
+ #include <fts.h>
+ #endif
[email protected]@ -138,6 +140,13 @@
+ #define MNTTYPE_PROC	"proc"
+ #endif
+ 
++typedef struct zone_path {
++	avl_node_t avl_link_next;
++	char zpath[MAXPATHLEN];
++} zone_path_t;
++static avl_tree_t avl_tree_list;
++
++
+ static bool valid_remote_fs(char *fstype)
+ {
+ 	if (strcmp(fstype, MNTTYPE_NFS) == 0 ||
[email protected]@ -160,6 +169,85 @@
+ 		return (false);
+ 	return (true);
+ }
++
++/* function to compare two avl nodes in the avl tree */
++static int compare_zoneroot(const void *entry1, const void *entry2)
++{
++	zone_path_t *t1, *t2;
++	int comp;
++
++	t1 = (zone_path_t *)entry1;
++	t2 = (zone_path_t *)entry2;
++	if ((comp = strcmp(t1->zpath, t2->zpath)) == 0) {
++		return (0);
++	}
++	return (comp > 0 ? 1 : -1);
++}
++
++int load_zones_path_list()
++{
++	FILE *cookie;
++	char *name;
++	zone_state_t state_num;
++	zone_path_t *temp = NULL;
++	avl_index_t where;
++	char rpath[MAXPATHLEN];
++
++	cookie = setzoneent();
++	if (getzoneid() != GLOBAL_ZONEID)
++		return (0);
++	avl_create(&avl_tree_list, compare_zoneroot,
++	    sizeof(zone_path_t), offsetof(zone_path_t, avl_link_next));
++	while ((name = getzoneent(cookie)) != NULL) {
++		if (strcmp(name, "global") == 0)
++			continue;
++		if (zone_get_state(name, &state_num) != Z_OK) {
++			dE("Could not get zone state for %s\n", name);
++			continue;
++		} else if (state_num > ZONE_STATE_CONFIGURED) {
++			temp = malloc(sizeof(zone_path_t));
++			if (temp == NULL) {
++				dE("Memory alloc failed\n");
++				return(1);
++			}
++			if (zone_get_zonepath(name, rpath,
++			    sizeof(rpath)) != Z_OK) {
++				dE("Could not get zone path for %s\n",
++				    name);
++				continue;
++			}
++			if (realpath(rpath, temp->zpath) != NULL)
++				avl_add(&avl_tree_list, temp);
++		}
++	}
++	endzoneent(cookie);
++	return (0);
++}
++
++static void free_zones_path_list()
++{
++	zone_path_t *temp;
++	void* cookie = NULL;
++
++	while ((temp = avl_destroy_nodes(&avl_tree_list, &cookie)) != NULL) {
++		free(temp);
++	}
++	avl_destroy(&avl_tree_list);
++}
++
++static bool valid_local_zone(char *path)
++{
++	zone_path_t temp;
++	avl_index_t where;
++	
++	strlcpy(temp.zpath, path, sizeof(temp.zpath));
++	if (avl_find(&avl_tree_list, &temp, &where) != NULL)
++		return (true);
++
++	return (false);
++}
++
++
+ #endif
+ 
+ static bool OVAL_FTS_localp(OVAL_FTS *ofts, const char *path, void *id)
[email protected]@ -168,9 +256,11 @@
+ 	if (id != NULL && (*(char*)id) != '\0') {
+ 		/* if not a valid local fs skip */
+ 		if (valid_local_fs((char*)id)) {
+-			/* if recurse is local , skip remote fs */
++			/* if recurse is local , skip remote fs 
++			   and non-global zones */
+ 			if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+-				return (!valid_remote_fs((char*)id));
++				return (!(valid_remote_fs((char*)id) ||
++				    valid_local_zone(path)));
+ 			}
+ 			return (true);
+ 		}
[email protected]@ -179,9 +269,11 @@
+ 		/* id was not set, because fts_read failed to stat the node */
+ 		struct stat sb;
+ 		if ((stat(path, &sb) == 0) && (valid_local_fs(sb.st_fstype))) {
+-			/* if recurse is local , skip remote fs */
++			/* if recurse is local , skip remote fs
++			   and non-global zones */
+ 			if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+-				return (!valid_remote_fs(sb.st_fstype));
++				return (!(valid_remote_fs(sb.st_fstype) ||
++				    valid_local_zone(path)));
+ 			}
+ 			return (true);
+ 		}
[email protected]@ -793,6 +884,12 @@
+ 		ofts->ofts_sfilepath = SEXP_ref(filepath);
+ 	}
+ 
++#if defined(__SVR4) && defined(__sun)
++	if (load_zones_path_list() != 0) {
++		dE("Failed to load zones path info. Recursing non-global zones.");
++		free_zones_path_list();
++	}
++#endif
+ 	return (ofts);
+ }
+ 
[email protected]@ -1249,6 +1346,9 @@
+ 	fsdev_free(ofts->localdevs);
+ 
+ 	OVAL_FTS_free(ofts);
++#if defined(__SVR4) && defined(__sun)
++	free_zones_path_list();
++#endif
+ 
+ 	return (0);
+ }
--- a/components/openscap/resolve.deps	Mon Oct 06 23:00:15 2014 -0700
+++ b/components/openscap/resolve.deps	Tue Oct 07 16:44:00 2014 -0700
@@ -4,8 +4,8 @@
 library/libxslt
 library/openldap
 library/pcre
+runtime/perl-512
 runtime/python-26
-runtime/perl-512
 security/compliance/openscap
 system/library
 system/library/gcc-3-runtime
@@ -13,4 +13,5 @@
 system/library/gcc/gcc-c-runtime
 system/library/math
 system/library/security/libgcrypt
+system/zones
 web/curl